178K+ SonicWall Firewalls Vulnerable to DoS, RCE Attacks

Two unauthenticated denial-of-service (DoS) vulnerabilities are threatening the security of SonicWall next-generation firewall devices, exposing more than 178,000 of them to both DoS as well as remote code execution (RCE) attacks.

Though the flaws — tracked respectively as CVE-2022-22274 and CVE-2023-0656 — were discovered a year apart, they are "fundamentally the same," though they each require a different HTTP URI path to exploit, wrote Jon Williams, senior security engineer at security firm BishopFox, in a blog post published yesterday. SonicWall products affected are series 6 and 7 firewalls.

"CVE-2022-22274 and CVE-2023-0656 represent the same vulnerability on different URI paths, an issue which is easily exploited to crash vulnerable devices," he wrote.

High Potential for DoS Attacks on SonicWall Firewalls

Indeed, the potential impact of a widespread attack is "severe," he noted, as attackers can target either or both bugs on vulnerable firewalls to either crash the device or perform RCE, disabling firewalls and potentially allowing entry into corporate networks while knocking out VPN access.

"In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality," Williams explained.

BishopFox researchers used BinaryEdge source data to scan SonicWall firewalls with management interfaces exposed to the Internet and found that out of 233,984 devices discovered, 178,637 are vulnerable to one or both issues.

Though so far there are no reports that either flaw has been exploited in the wild, there is exploit code available for the more recently discovered bug, and BishopFox as well developed its own exploit code for the flaws.

Fortunately for organizations that use the affected SonicWall devices, the latest available firmware protects against both vulnerabilities, and an update can mitigate risk, Williams said.

A Tale of Two Unauthenticated Flaws

Of the two bugs, CVE-2022-22274 — an unauthenticated buffer overflow affecting NGFW web management interfaces discovered in March 2022 — was rated as more dangerous, earning a critical rating of 9.4 on the CVSS versus the 7.5 rating of CVE-2023-0656, which is ostensibly the same type of flaw and discovered about a year later.

A remote, unauthenticated attacker could exploit the flaw via an HTTP request to cause DoS or potentially execute code in the firewall, according to a report by Watchtower Labs on the vulnerability published in October.

BishopFox used that report as the basis for a deeper dive into the mechanics of how CVE-2022-22274 works, and to develop their own exploit code for it. In the process they ultimately discovered CVE-2023-0656 — which the researchers thought might be a zero day but which already had been reported by SonicWall — as well as found that the two flaws are related.

The researchers triggered CVE-2022-22274 through an HTTP request that needed to satisfy two conditions: the URI path must be longer than 1024 bytes, and the HTTP version string must be long enough to cause a stack canary overwrite.

They managed to achieve a DoS attack against vulnerable SonicWall series 6 and 7 virtual appliances, even some patched versions. This is what led them to realize that while CVE-2022-22274 was patched on the firewalls, CVE-2023-0656 was not — and both flaws are caused by the same vulnerable code pattern in a different place, Williams said.

"To our knowledge, no previous research has been published establishing a link between CVE-2022-22274 and CVE-2023-0656," he wrote in the post. "Clearly, both vulnerabilities share the same underlying bug, but the initial patch only fixed the vulnerable code in one place, leaving the other instances to be found and reported a year later."

BishopFox researchers also found that they could "reliably identify" vulnerable devices without knocking them offline by satisfying the first of the conditions of their exploit but not the second, Williams wrote. This elicits different responses from the targeted device "because the buffer overflow check in patched versions causes the connection to be dropped without a response," he wrote.

"We tested this against all five URI paths and found the vulnerability check was reliable across a wide variety of SonicOS versions," Williams said. BishopFox released a Python tool for testing and even exploiting the flaws on SonicWall devices.

Patch & Protect Against SonicWall Cyberattacks

Hundreds of thousands of companies across the globe use SonicWall products, including numerous government agencies and some of the largest enterprises in the world. Their widespread use makes them an attractive attack surface when devices become vulnerable; indeed, attackers have a history of pouncing on SonicWall flaws for ransomware and other attacks.

At this point the danger is not as much in a potential RCE attack as a DoS incident, given the available exploit because attackers would have a few technical hurdles to overcome — including PIE, ASLR, and stack canaries, Williams noted.

"Perhaps a bigger challenge for an attacker is determining in advance what firmware and hardware versions a particular target is using, as the exploit must be tailored to these parameters," he added. "Since no technique is currently known for remotely fingerprinting SonicWall firewalls, the likelihood of attackers leveraging RCE is, in our estimation, still low."

Regardless, network administrators still should take precautions to secure devices. BishopFox is urging network administrators to use the tool the researchers developed to check for vulnerable devices. If found, they should ensure that the management interface of a device is not exposed online, as well as proceed with an update to the latest firmware to secure against a potential DoS attack.